The trick in AI policy is not deciding whether artificial intelligence is risky. Of course it is. So are electricity, aviation, pharmaceuticals, and teenagers with driver’s licenses. The harder question is where the risk attaches, and whether a given proposed fix targets that point or simply hands policymakers a very large hammer labeled “AI.”
A recent post by Dean Ball, a senior fellow at the Foundation for American Innovation, tees up that familiar tension. On one hand, there is a strong case against broad, ex ante regulation of AI systems. On the other, highly capable systems may pose risks that are hard to dismiss—particularly in areas like cyber operations or biosecurity. The question is how to reconcile those instincts without defaulting to heavy-handed control.
That framing is useful. It also leaves something important underspecified.
The debate still tends to treat “AI” as a single object of governance, rather than as a layered system in which different interventions operate in very different ways. Knowing Dean Ball personally, I doubt he intended that simplification. But his post could leave that impression. It is worth unpacking why the distinction matters.
Collapse those layers, and any risk can justify sweeping oversight. Keep them separate, and many proposed interventions look far less precise than their advocates suggest.
Intermediaries, Incentives, and Illusions of Independence
One proposal gaining traction in this space is the idea of independent verification organizations (IVOs). The basic structure is straightforward: governments set outcome-based safety goals, and licensed third parties verify whether AI systems meet them. Firms that opt in receive certification benefits, including reputational gains and, in some cases, legal safe harbors.
At a high level, this moves beyond traditional command-and-control regulation. It aims to shape incentives rather than dictate design choices, while leveraging technical expertise outside the state. That has real appeal. In simulated environments, verification appears to push firms toward engaging with the underlying problems rather than defaulting to defensive posturing.
Once you move from concept to implementation, though, what the structure actually requires becomes clearer. Independent verifiers need licenses. They need access to proprietary systems. They need authority to compel information disclosure and, ultimately, to suspend or revoke certifications. Without those features, the framework does not work as intended.
In other words, what starts as a market-based mechanism depends on a fairly robust enforcement apparatus. The system does not replace state oversight so much as reorganize it around a new set of intermediaries. If the underlying problem is that legal categories fail to track capability, building a system that depends on those categories being precise enough to audit may not solve the problem—it may just relocate it.
That raises familiar institutional concerns. Verifiers are paid by the firms they assess, and they operate in a setting where maintaining client relationships can conflict with enforcing standards. The parallels to earlier verification regimes—most notably the credit-rating ecosystem—are hard to miss. Ensuring independence in that context is a practical problem, not a theoretical one. Certification decisions can also shape competitive outcomes in ways only loosely tied to technical merit, with downstream effects across the broader ecosystem.
More fundamentally, the IVO model operates at a level that does not map well onto the risk profile or structural characteristics of AI systems. It evaluates systems as a whole, monitors deployments, and triggers recertification when systems change. That pulls policy toward continuous oversight of model behavior. It also blurs the line between public policy and private contracting. That boundary matters, particularly in an international context, where firms’ credibility as independent actors underpins their global position.
If the concern is misuse of specific capabilities—as it arguably should be—this is an indirect and often inefficient approach.
Ball’s recent comments on EconTalk underscore the tension. He flagged the mismatch between legal categories and technical capability, as well as the risks of state leverage over private firms. Those concerns complicate proposals that rely on formal verification regimes backed by enforcement authority. These frameworks aim to solve real problems, but they depend on precisely the kind of definitional clarity and institutional stability that remain unsettled.
Mind the Gap Between Law and Capability
A more useful starting point is to ask where risk actually attaches.
In most of the scenarios driving concern, the issue is not the existence of a model. It is the availability of particular capabilities, and the conditions under which those capabilities can be accessed and deployed. Ball acknowledged this on EconTalk, noting that legal categories like “surveillance” increasingly fail to track real-world capability once AI scales analysis across commercially available data. That gap between law and capability is exactly where misuse risk emerges.
That framing points to a different set of policy levers—ones focused on capability and access, rather than general system-level oversight.
For example, policymakers could develop more structured approaches to monitoring access to the most sensitive capabilities. Mechanisms that allow providers to detect anomalous use patterns or identify high-risk actors may play a role. Something analogous to know-your-customer (KYC) frameworks for certain high-end access points is at least worth considering, even if it raises its own concerns.
The point is not that this approach is obviously correct. It is that it targets the margin where misuse actually occurs.
The Best Defense Is More AI
There is also a broader dynamic that tends to get lost in these discussions: the same capabilities that create risk are also the tools needed to manage it. Defensive uses of AI are not peripheral. They are central to any plausible equilibrium.
Managing misuse will depend on the widespread deployment of defensive systems that can detect, interpret, and respond to anomalous behavior in real time. Those capabilities will need to spread across firms and, over time, to the local and individual level. Security in this environment will not be centralized. It will depend on the diffusion of capability across the ecosystem.
What changes is not just capability, but scale. Systems that once required scarce human attention can now operate across entire populations. As Ball put it, AI creates “millions and tens of millions of analysts.” That dynamic does not just increase risk; it raises the stakes for how widely defensive capabilities are deployed.
There is an intuitive way to think about this, drawn from early conceptions of networked computing in William Gibson’s cyberpunk novels, where users relied on persistent, individualized defensive systems operating at the edge of the network. However stylized, that intuition points in the right direction. Security scales through distribution, not centralized control.
Frameworks that concentrate evaluation and oversight in a small set of licensed intermediaries risk slowing that diffusion. They may improve certain forms of accountability, but they also push the system toward centralization at precisely the moment when distributed defensive capacity matters most.
A simpler approach may prove more effective: establish clear rules of the road around specific forms of misuse, make those rules legible and enforceable, and then allow firms to operate within those constraints. That structure creates strong incentives to develop both offensive and defensive capabilities in response to changing conditions.
This approach is less ambitious as a matter of institutional design. It does not try to build a comprehensive governance layer over AI systems. It does, however, align more closely with how these systems evolve in practice. It preserves flexibility, supports experimentation, and allows defensive capabilities to emerge and scale more organically.
When Oversight Becomes the Risk
None of this eliminates the tension Ball identifies. The need to manage real risks coexists with a well-founded concern about overbroad intervention. That tension is not going away.
The question is how to navigate it. The answer, in my view, is to be precise about where intervention occurs, resist the pull toward general system-level oversight, and avoid constraining the development of defensive capabilities in the name of safety.
If policy is going to shape this space, it should do so at the margins where it is most effective, while preserving the broader ecosystem that drives both innovation and resilience.
Get the margins right, and the system has room to adapt. Get them wrong, and oversight becomes the risk.
